JDK-8261534

Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined


    Details

    • Subcomponent:
    • Introduced In Build:
      b05
    • Introduced In Version:
      17
    • Resolved In Build:
      b10


        Description

        Running test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java on platforms other than Windows x86-32, Windows amd64, Linux x86-64 and Mac x86-64 fails with an exception:

        java.security.AccessControlException: access denied ("java.security.SecurityPermission" "removeProvider.SUN")
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
        at java.base/java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1521)
        at java.base/java.security.Security.check(Security.java:832)
        at java.base/java.security.Security.removeProvider(Security.java:444)
        at IllegalPackageAccess.main(IllegalPackageAccess.java:81)
        at PKCS11Test.premain(PKCS11Test.java:171)
        at PKCS11Test.testNSS(PKCS11Test.java:568)
        at PKCS11Test.main(PKCS11Test.java:207)
        at IllegalPackageAccess.main(IllegalPackageAccess.java:69)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
        at java.base/java.lang.Thread.run(Thread.java:831)

        Root cause is that the test materializes and installs a policy by obtaining the current policy (https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L46). At the time it tries to remove a provider (https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java#L80), the materialized policy is used for an access check, due to some intricacies of the java.security.Policy implementation (https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/src/java.base/share/classes/java/security/Policy.java#L293). This policy does not allow the removal of a provider.
        On platforms where the test runs through PKCS11Test::fetchNssLib, the default policy is reset (https://github.com/openjdk/jdk/blob/4be2173478bd1e84946bd903b350ce466bddb36b/test/jdk/sun/security/pkcs11/PKCS11Test.java#L859), which makes the test work. But if we don't pass through there, the test fails.

        A fix would be to unconditionally call Policy.setPolicy(null); in IllegalPackageAccess before installing MyPolicy, or alternatively to have MyPolicy::implies always return true unless it's about "accessClassInPackage.com.sun.crypto.provider".
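
        A sketch of the two proposed fixes combined, added here as an illustration and not taken from the JDK test sources: the policy is reset before a custom one is installed, and the custom policy denies only the package-access permission. The class names PolicyResetDemo and DenyOnePackagePolicy are hypothetical, and the code assumes JDK 17, where the Security Manager is deprecated but still functional.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;

// Added illustration; PolicyResetDemo and DenyOnePackagePolicy are hypothetical names.
// Assumes JDK 17, where the Security Manager is deprecated but still functional.
public class PolicyResetDemo {

    static final String DENIED = "accessClassInPackage.com.sun.crypto.provider";

    // Grants everything except the single package-access permission under test,
    // so unrelated checks such as removeProvider.SUN cannot fail the test.
    static class DenyOnePackagePolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            boolean denied = permission instanceof RuntimePermission
                    && DENIED.equals(permission.getName());
            return !denied;
        }
    }

    // Returns true if the installed security manager allows the permission.
    static boolean allowed(Permission p) {
        try {
            System.getSecurityManager().checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Drop any policy that was already materialized, on every platform,
        // instead of relying on a helper that only runs on some of them.
        Policy.setPolicy(null);
        Policy.setPolicy(new DenyOnePackagePolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("removeProvider.SUN allowed: "
                + allowed(new SecurityPermission("removeProvider.SUN")));
        System.out.println(DENIED + " allowed: "
                + allowed(new RuntimePermission(DENIED)));
    }
}
```

        Because the policy does not delegate to a previously obtained Policy instance, the outcome of the removeProvider.SUN check no longer depends on whether an earlier code path reset the default policy.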

                People

                Assignee:
                clanger Christoph Langer
                Reporter:
                clanger Christoph Langer